File size: 233.1 MB

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the Event Tracing for Windows (ETW) buffers in a kernel mode dump or live session. The ETW buffers can be extracted from the dump and viewed using the Windows Performance Toolkit (WPT). The buffers give you insight into what has been happening recently on the computer.

We use these commands:

!wmitrace.strdump

!wmitrace.logsave 0xNN c:\example.etl

!wmitrace.eventlogdump 0xNN

!wmitrace.help

Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution. This episode shows how to install the Windows Performance Toolkit.
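The command sequence below is an added example of the workflow the episode walks through, not a transcript from the episode itself. It assumes a kernel or complete memory dump at c:\windows\memory.dmp and an output folder c:\temp (both assumed paths); the logger ID 0xNN is a placeholder that you read off the !wmitrace.strdump listing, exactly as in the command list above.

```windbg
$$ Added example (not from the episode): pull the ETW buffers out of a kernel dump.
$$ Open the dump first, e.g.  windbg -z c:\windows\memory.dmp   (assumed path).
$$ A minidump does not contain the kernel pool, so the buffers are absent there.

$$ 1. List every active logger (trace session) found in the dump; note the ID column.
!wmitrace.strdump

$$ 2. Optional: dump the events of one logger as text right in the debugger.
$$    0xNN is a placeholder for the ID shown by strdump.
!wmitrace.eventlogdump 0xNN

$$ 3. Save that logger's buffers to an .etl file for offline analysis.
!wmitrace.logsave 0xNN c:\temp\kernel.etl

$$ 4. If a command is unfamiliar, the extension documents itself.
!wmitrace.help
```

The saved kernel.etl holds raw buffers only, so addresses inside it are not yet resolvable to function names. Run `xperf -merge c:\temp\kernel.etl c:\temp\result.etl` (an xperf option from the WPT; paths assumed) on a machine with the same binaries to add the module information, then open result.etl in WPA or xperfview. If the dump came from a machine whose ETW loggers had already stopped, strdump simply shows no logger to save; there is nothing in the dump to recover in that case.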

That you also use xperfview shows me that all my complaints during beta test were right. I said this so many times to Michael when he was still the PM of WPT/XPERF/XPERFVIEW. WPA is a terribly bad UI with blurry graphs and so many scrollbars all over the place. It sucks so much.

I may have missed something, but what kind of dump does it have to be to use these commands? A minidump is not supported, correct? So it has to be a full dump? I am sorry if I did not pay enough attention and missed something; the whole episode went by really fast.

@s3curityConsult: I don't think you missed it - pretty sure I never pointed that out. The buffers are pool memory in the kernel, so you need a kernel (2) or complete (1) dump. Kernel is the default up to win8, the win8 default is automatic, which is kernel or complete based on pagefile size. You want the c:\windows\memory.dmp file, not the c:\windows\minidump files.

@loverboy: WPRUI works on Win7 too (not supported, but it works).

@loverboy: kernel.etl is the kernel mode buffers, user.etl (not made here) would be the user mode buffers. The result.etl is the merge of these two, plus it adds the required information to resolve symbols. (The raw buffers just have pointers. The merge adds the module info so that offsets can be mapped back to a function name via a symbol.)

Talking about WPA (and/or XPerfView) ... when you analyze on a 64-bit PC a .etl taken on a 32-bit machine, do you have to use the 32-bit version (like windbg), or on a 64-bit PC do you have to use the WPA or XPerfView 64-bit version anyway?

Now it gives an error:

C:\Program Files\Windows Performance Toolkit>Recording_Example.bat
Press a key when ready to start...
Premere un tasto per continuare . . .
....Capturing....
xperf: warning: This system is not fully configured for x64 stack tracing.
Please modify the registry under:
